T 2.163 Breach of limited use regarding the processing of personal data
Personal data must only be processed for the purpose for which it was first collected or stored. There is a risk that this data is also processed for other purposes in order to save the time and expense of collecting the personal data again and informing the persons concerned.
If personal data stored exclusively for the purposes of data protection control, information security, or ensuring proper operation of a data processing system is used for other purposes, this is inadmissible.
The risk that the limited use is not observed applies in particular to automated retrieval procedures and other transmissions, as well as to the linking and/or interpretation of databases.
Processing personal data in defiance of the limited use may entail a fine or a custodial sentence and/or may have consequences under service law or labour law. The person concerned may claim a right to damages.
Examples:
- The limited use is violated if management uses log files, which record user logins to and logouts from IT systems for reasons of information security and data protection, in order to check attendance and behaviour.
- In an office, the number of characters used when creating documents is logged for the purposes of cost accounting. In addition, this data is to be used, inadmissibly, to determine the number of characters the employees are able to type.
- In the canteen of a company, meals are paid for by means of a combined employee and canteen card. The canteen accounting data is used to create individual health protection programmes without the employees having given their consent.